SUMMARY: IP forwarding across a CIPE VPN is working, but NAT across
the same CIPE VPN is failing. tcpdump shows packets only on one side
of the interface.
Note: this question pertains to running NAT over CIPE, not to running
CIPE over NAT. In other words, I have a working CIPE VPN between two
specific machines. Each machine is on a private network. I'd like to
talk between the two private networks, but one side doesn't have a
route to the other. I am successful in routing between the two
networks using the CIPE boxes as gateways if I establish all the
required routing, but not in doing NAT over the CIPE interface.
Here are the details:
site1-machine:  eth0:   10.160.59.1/24
site1-gateway:  eth0:   10.160.59.17/24
                cipcb0: 192.168.14.2/24
                eth1:   (dynamic public address)
site2-gateway:  eth0:   192.168.0.3/24
                cipcb0: 192.168.14.1/24
                eth1:   (static public address)
site2-machine:  eth0:   192.168.0.1/24
All machines are running RedHat Linux 7.1 with cipe 1.4.6 as
distributed in RedHat 7.1 and with the default RedHat 7.1 2.4.2-based
kernel. I've checked 1.5.2 but not installed it as it doesn't seem
that any changes are relevant to this problem.
site1-machine has a route for 192.168.0.0/16 to site1-gateway.
site1-gateway has a route to 192.168.0.0/16 through interface cipcb0.
site2-machine has site2-gateway as its default gateway.
site1-gateway has IP forwarding enabled and accepts forwarding from
10.160.59.0/24 to any destination.
site2-gateway has IP forwarding enabled and accepts forwarding from
192.168.0.0/16 to any destination.
site1's options file:
    ipaddr 192.168.14.2
    ptpaddr 192.168.14.1
    peer (site2's public address):9999
    key (key)
    dynip
site2's options file:
    ipaddr 192.168.14.1
    ptpaddr 192.168.14.2
    peer 127.0.0.1:9999
    me (site 2's public address):9999
    key (key)
What works:
site1-gateway and site2-gateway can ping each other. site2-gateway
sees the source address as 192.168.14.2. site1-gateway can ping
either 192.168.14.1 or 192.168.0.3.
site1-gateway and site2-machine can both ping each other since
site1-gateway knows that site2-machine is on the other side of the
CIPE VPN and site2-machine routes all non-local packets through
site2-gateway. site2-machine can see 192.168.14.1 but not
10.160.59.17, which is fine.
In order to get site1-machine and site2-machine to see each other, I
should be able to tell site1-gateway to NAT any packets being
forwarded to 192.168.0.0/16 to source address 192.168.14.2. This does
not work. I know, however, that I can forward packets through this
VPN without NAT. Here are the details:
If I teach site2-gateway about 10.160.59.0/24 with
    route add -net 10.160.59.0/24 dev cipcb0
    iptables -t nat -I POSTROUTING -d 10.160.59.0/24 -j ACCEPT
    iptables -t filter -I FORWARD -d 10.160.59.0/24 -j ACCEPT
then site1-machine and site2-machine can ping each other.
Furthermore, if I run tcpdump -i cipcb0 on both site1-gateway and
site2-gateway, I can see both the echo request and echo reply packets,
and I can see 192.168.0.1 and 10.160.59.1 as the source/destination
addresses. This is exactly as expected. Everything works perfectly.
My two networks can talk to each other.
However, I don't want site2 to know about 10.160.59.0/24. I want
site1-gateway to SNAT all its traffic to 192.168.14.2. This should be
easy. Once the above situation works fine, I should simply need to
run the following on site1-gateway:
    iptables -t nat -I POSTROUTING -d 192.168.0.0/16 -j SNAT --to-source 192.168.14.2
and everything should just work. (Note that site2-machine can ping
192.168.14.2 fine.) However, when I give this command, my tcpdump on
site1-gateway shows the echo requests with the source of 192.168.14.2
and the destination of 192.168.0.1 as expected, but site2-gateway's
tcpdump shows nothing!
In other words, CIPE does not appear to be forwarding the traffic at
all. tcpdump on site1 shows the packets being sent, but tcpdump on
site2 does not show the packets being received.
The thing that's baffling to me is that when I turn SNAT to the
site1's CIPE ip address, the cipe interface on site2 no longer appears
to be receiving packets even though the interface on site1 appears to
to be sending them. Running strace on the ciped-cb processes is
unenlightening. Any further tips on diagnosing this will be helpful.
I have administrative control of all machines in question, and I am
the only person using this VPN at the moment. I have full freedom to
bring things up and down as required, so I can try experiments that
people may suggest. One thing I have tried is to explicitly specify
both the peer: and me: parameters as static addresses (using the
address I happen to have now) on both sides. This changes nothing --
I get exactly the same results. When I try to NAT through the cipe
interface, tcpdump shows the packets on one side but not on the other.
For what it's worth, I used to use ppp over stunnel with otherwise
identical configurations. NAT across that VPN worked fine.
--
E. Jay Berkenbilt <ejb,AT,ql,DOT,org>
http://www.ql.org/q/
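As an added diagnostic, not part of the original post or of CIPE: the symptom above is "tcpdump -i cipcb0 shows the packets on one side but not the other", and the quickest way to make that precise is to correlate the two captures by ICMP id/seq, which survive SNAT because SNAT rewrites only the source address. The script below takes the lines tcpdump -n prints on each gateway, pairs echo requests across the two captures, and reports which ones never arrived and how that breaks down by the source address they carried on the sending side. The capture lines are constructed for illustration, and the line format is an assumption (the "IP a > b: ICMP echo request, id N, seq M" form of current tcpdump; an older tcpdump that omits id/seq would need -v or a different regex).

```python
import re

# Assumed tcpdump -n output format (constructed; adjust the regex for an
# older tcpdump that does not print "id"/"seq" on ICMP echo lines).
ECHO_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: site1-gateway's view of cipcb0 while pinging
# 192.168.0.1 first without NAT (id 7) and then with SNAT to
# 192.168.14.2 (id 8).
SITE1_CAPTURE = [
    "10:01:00.000001 IP 10.160.59.1 > 192.168.0.1: ICMP echo request, id 7, seq 1, length 64",
    "10:01:00.000900 IP 192.168.0.1 > 10.160.59.1: ICMP echo reply, id 7, seq 1, length 64",
    "10:02:00.000001 IP 192.168.14.2 > 192.168.0.1: ICMP echo request, id 8, seq 1, length 64",
    "10:02:01.000001 IP 192.168.14.2 > 192.168.0.1: ICMP echo request, id 8, seq 2, length 64",
]

# Constructed sample: site2-gateway's view of cipcb0 over the same window.
# The un-NATed exchange is there; the SNATed requests never show up.
SITE2_CAPTURE = [
    "10:01:00.000400 IP 10.160.59.1 > 192.168.0.1: ICMP echo request, id 7, seq 1, length 64",
    "10:01:00.000700 IP 192.168.0.1 > 10.160.59.1: ICMP echo reply, id 7, seq 1, length 64",
]


def parse_echo_requests(lines):
    """Return {(id, seq): (src, dst)} for every ICMP echo request in a capture.

    Keying on (id, seq) rather than on addresses is what lets a request that
    was SNATed on the sending gateway still be matched against the receiving
    gateway's capture.
    """
    requests = {}
    for line in lines:
        m = ECHO_RE.search(line)
        if m and m["kind"] == "request":
            requests[(int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return requests


def compare_captures(sender_lines, receiver_lines):
    """Correlate the sending gateway's capture with the receiving gateway's.

    Returns a dict with:
      "missing":    list of (src, dst, id, seq) for requests the sender put on
                    its cipcb0 that never appeared on the peer's cipcb0
      "per_source": {src: {"sent": n, "arrived": n}} aggregated by the source
                    address the request carried on the sending side
    """
    sent = parse_echo_requests(sender_lines)
    arrived = parse_echo_requests(receiver_lines)
    missing = []
    per_source = {}
    for key, (src, dst) in sorted(sent.items()):
        stats = per_source.setdefault(src, {"sent": 0, "arrived": 0})
        stats["sent"] += 1
        if key in arrived:
            stats["arrived"] += 1
        else:
            missing.append((src, dst, key[0], key[1]))
    return {"missing": missing, "per_source": per_source}


def report(sender_lines, receiver_lines):
    """Human-readable version of compare_captures() for use at the console."""
    result = compare_captures(sender_lines, receiver_lines)
    out = []
    for src, stats in sorted(result["per_source"].items()):
        out.append(f"source {src}: sent {stats['sent']}, arrived {stats['arrived']}")
    for src, dst, icmp_id, seq in result["missing"]:
        out.append(f"  lost: {src} > {dst} id {icmp_id} seq {seq}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SITE1_CAPTURE, SITE2_CAPTURE))
```

On the constructed captures this reports that every request with source 10.160.59.1 arrived and none with source 192.168.14.2 did, which is the pattern to look for in real captures: if the loss tracks the source address rather than the destination or the packet size, the packet is being dropped between site1-gateway's cipcb0 and the wire (or on the way back up on site2) on the basis of that address, and the next capture to take is on eth1 of both gateways to see whether the encapsulated UDP ever leaves site1.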